What are Hypertext Transfer Protocol (HTTP) methods?
The Internet protocol suite uses HTTP for communication between client and server.
HTTP works as a request/response protocol between client and server: when a user visits an application in the browser, a request is sent to the server and the server sends a response back. In the response we can see a status code corresponding to the request. All of this happens with the help of HTTP.
To perform these operations, HTTP has different methods, and each method has its own significance.
Note: HTTP method names are case sensitive and are always written in UPPER CASE.
1. GET: Retrieves information from the server for a given URL. Since we are only fetching information, we cannot make any update to the data.
If the resource is found, it returns a 200 (OK) status code; otherwise it returns 404 (Not Found).
i. It can be cached and saved in browser history, so it can improve application performance.
i. It is always recommended that developers never use GET to fetch sensitive information, as it is visible in the URL.
ii. Fetching data also has length constraints.
2. HEAD: Same as GET, but the response has no body. It is mostly used before GET to check what the GET request is going to return.
3. POST: Used to send data to the server for a given URL. It can create a new entry in the database.
i. Creating data does not have length constraints, and the user can send sensitive information.
i. It cannot be cached and cannot be saved in browser history, so it may affect performance.
4. PUT: PUT is similar to POST, but where POST creates a new entry in the database, PUT only updates an existing entry.
5. DELETE: Deletes the resource at the specified URL.
6. OPTIONS: Shows which communication options are available for the specified target.
7. TRACE: For the specified target, it performs a loopback test to diagnose the target and returns information that can be used to exploit the application.
So if it is enabled, the server echoes back the exact request it received from the client.
i. It discloses information, and sometimes that information is valuable, such as internal headers. If an attacker can use those headers in a request, they may be able to escalate their privileges.
Note: Initially it was used to bypass the HttpOnly attribute of cookies, but that is not possible nowadays.
What is information disclosure and how does it affect the application? If you want to check this in depth, please see my previous blog:
i. The client wants to access a resource.
ii. The client sends a request to the server; the browser automatically appends the method needed.
While intercepting the traffic of an application, I first check which HTTP methods are enabled and whether they provide us any information. Sometimes developers do not give priority to setting the methods properly, or do not even know which methods should be implemented, for example in the case of third-party technology which has a vast array of configuration options.
The intercepted traffic looks like:
Forward this request to Repeater and try to change its HTTP method.
I modified the method to POST.
After the modification, in the response I got “404 Not Found”.
Now I try to modify the method to “OPTIONS” to check which options are enabled on the server side.
I am getting the same response as in the case of the “POST” method.
Now I try to check with the “TRACE” method whether any information is disclosed or not.
As soon as I modified the method and forwarded the request, in the response I got one header, “X-Custom-IP-Authorization”, with my local IP. As we already know, the TRACE method discloses information, but now we have to check whether this information is valuable for us or not.
After seeing this header, it seems to be an internal authentication header. So we try to extract this information for the admin interface. I modified the interface and sent the request.
In the response I got:
It means that we need to pass this header with the local loopback IP, i.e. 127.0.0.1.
So, we try to add this header, “X-Custom-IP-Authorization”, to the request.
Go to Proxy -> Options -> Match and Replace.
Here add one header: match “Blank” and replace it with “X-Custom-IP-Authorization”.
Start intercepting the request again and check the response.
On forwarding this request, I got the admin panel in the user interface.
We can see that after adding one header we got the admin panel. So in these types of cases, leaving unnecessary HTTP methods open is harmful.
Enable only those methods on the web server that are necessary for the application.
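As an added defensive example (not code from the post or from any product it mentions), a minimal WSGI middleware that enforces a method allowlist, answering TRACE or any other unlisted method with 405 and an Allow header, and strips the client-supplied X-Custom-IP-Authorization header so the backend's trust in it cannot be reached from outside. The allowlist, the environ key and the backend are assumptions; the backend is constructed to reproduce the trust flaw described above.

```python
from wsgiref.util import setup_testing_defaults

# Names here are assumptions for this example, not from the post.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})
# WSGI exposes the X-Custom-IP-Authorization header under this environ key.
INTERNAL_HEADERS = ("HTTP_X_CUSTOM_IP_AUTHORIZATION",)

class MethodAllowlist:
    """Rejects any method outside the allowlist (TRACE gets a 405 instead of an echo)
    and drops client-supplied copies of internal headers before the app sees them."""
    def __init__(self, app, allowed=ALLOWED_METHODS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        # Method names are case sensitive, so no normalisation: "get" is not GET.
        if environ.get("REQUEST_METHOD") not in self.allowed:
            body = b"Method Not Allowed"
            start_response("405 Method Not Allowed", [
                ("Allow", ", ".join(sorted(self.allowed))),
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        for key in INTERNAL_HEADERS:
            environ.pop(key, None)  # only infrastructure behind the edge may set it
        return self.app(environ, start_response)

def backend_app(environ, start_response):
    """Constructed backend with the flaw the post describes: it trusts the header."""
    if environ.get("HTTP_X_CUSTOM_IP_AUTHORIZATION") == "127.0.0.1":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"admin panel"]
    start_response("403 Forbidden", [("Content-Type", "text/plain")])
    return [b"forbidden"]

def call(app, method, headers=None):
    """Drive a WSGI app in-process; returns (status, response headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}
    def start_response(status, response_headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(response_headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Running `call(backend_app, "GET", {"X-Custom-IP-Authorization": "127.0.0.1"})` shows the unprotected backend returning the admin panel, while the same request through `MethodAllowlist(backend_app)` gets 403 and a TRACE request gets 405.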